As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

+

+

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

+

+

+

'''Rikard Bodforss'''

+

+

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

+

+

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.

+

Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!

+

You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

+

+

+

'Mattias Weckstén''

+

+

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

+

+

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.''

''3-from-1 Mikko Saario''

''3-from-1 Mikko Saario''

−

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.”

+

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

As with most things in life, dealing with security incidents is something you need to prepare and train for. Once a security incident has been declared you will need to do a number of things simultaneously, an essential part of which is the gathering of evidence to the facts. There are lots of considerations to be made and usually a lot of people to lead and/or coordinate. Understanding the risks and the pit-falls, working disciplined, knowing the dos and don’ts and keeping a cool head may very well save the day. Even of you as an incident handler do not do the actual forensics, you need to know what happens, when and how, in order to make the best of the possibilities you have - as you are always at a disadvantage of the perpetrator.

I am a Senior Security Investigator at TeliaSonera CERT Coordination Centre, I have my offices in Copenhagen, but TS-CERT serve the entire TeliaSonera Group and fully owned companies in 17 countries. I have more than 25 years of experience in working with IT and 12 of those have been spent as a security professional. I have been half of that at DK*CERT, UNI-C, the CERT for the Danish education- and research network as well as the general public and the rest in various functions at TeliaSonera. I have also worked independently, doing forensics, for the Danish Police, several news media and as a specialist for the Danish Judicial system. I am a GIAC certified Forensics analyst and Incident Handler and do most of the ‘hands-on’ disciplines within IT and Mobile Forensics as well as penetration testing, security auditing and most, if not all other aspects of IT security and physical security. I am not and do not wish to be a public figure.

Rikard Bodforss

Understanding of how different acquisition methods affect the system is important when examining the collected evidence and can be critical if the case ends up in a court of law. Rikard will give a hands-on demonstration of forensic artifacts from different routine tasks. The demonstration will give a basic understanding of how delicate the system is and why some acquisition methods leave a bigger footprint than others.

Rikard Bodforss is a security advisor at Omegapoint in Gothenburg, Sweden. He has over twenty years of experience from the IT industry and most of that working with information- and IT-security. He has held positions as Global Perimeter Protection Manager and Head of Forensics within Volvo Group. Now he is working with clients from many different industries like; critical public utilities (SCADA security), banking, automotive, retail and trade. His area of expertise ranges from very technical security, like forensics, to information security governance.
Rikard holds a CISSP and a CISA certification, and was awarded the ISACA Thomas Fitzgerald Award in 2009 for acheiving the highest score in the world on the CISA exam. He is a very popular speaker at national and international conferences and promises to deliver a talk you do not want to miss!
You can follow him on Twitter @rbodforss and listen to him (in Swedish) at sakerhetspodcastem.se where he is a co-host.

'Mattias Weckstén

A short talk about the IT-forensic program at Halmstad university, our view of the IT-forensic investigator, courses and skills taught and the future of the trade. The talk will be concluded with an overview of a selection of previous and current thesis projects.

Mattias is adjunct in computer engineering with a specialization in it-forensics at Halmstad University. Teaching a multitude of technical aspects of the trade of manual digital forensics. Promoting it-forensic awareness through popular science in modern media.

In this talk, we look at some common security pitfalls in mobile application development. We also take a peek inside the iGoat training application, an OWASP project aimed at educating mobile developers in secure programming. Finally, we look briefly on how to you can assess the security of your backend by using burp proxy to intercept and modify your mobile phone’s traffic in transit.

3-from-1 Mikko Saario

In the first part of the talk, Mikko will take a quick look at various hybrid environments available for ‘mobile’ app developers – showing how the ‘desktop web’ and ‘mobile web’ are converging and what kind of fundamental security mechanisms do or do not exist in them to protect the user. The second part will take a look at recent developments in the web standards bridging these two worlds even closer to each other than ever before – perhaps even making native apps … redundant at some point? Finally, switching to something completely different, Mikko will share his experiences working with an agile team and helping them build more secure products. The talks are accompanied with small demos and use cases to show some of the discussed topics in real life.

Developers frequently see the need to be able to request data from several sources on different domains.
Traditionally this has been solved in many ways, some of them not very secure. We will take a look at
some of these approaches, why they are flawed, and why the new approaches are better. We will also
look at common mistakes made when setting up cross domain communication.
We will also take a look at some of the new browser security features, and how these support cross
domain communication and can help mitigate other security problems.

Jim Manico is a profile in the OWASP community, working with the OWASP podcasts and ESAPI amongst other things. During March he is doing a Nordic tour and will be visiting the chapters in Finland, Sweden, Norway and Denmark and we have the pleasure of welcoming him to Gothenburg on March 22.

Chalmers University of Technology is sponsoring the venue and will also provide some light snacks, coffee beer as well as non-alcoholic drinks. Jim's visit is made possible thanks to F5.

Please note that the event will be held in English.

Abstract: Web Application Access Control Design Excellence
Access Control is a necessary security control at almost every layer within a web application. This talk will discuss several of the key access control anti-patterns commonly found during website security audits. These access control anti-patterns include hard-coded security policies, lack of horizontal access control, and "fail open" access control mechanisms.

In reviewing these and other access control problems, we will discuss and design a positive access control mechanism that is data contextual, activity based, configurable, flexible, and deny-by-default - among other positive design attributes that make up a robust web-based access-control mechanism.

Martin Holst Swende is a security consultant at the Swedish company 2Secure, where he primarily is involved with application security testing, but also does network penetration testing, IT forensics and source code auditing. Martin has a background as an Ms.C in Computer Science and Engineering from Linköping University and worked as a software developer for among others Yahoo before entering the field of security. Martin is the project leader for the Owasp Hatkit and the Owasp Hatkit Datafiddler projects.

Presentation abstract

The Hatkit Project was created to provide a framework for web application security testing. It consists of two parts; the Hatkit Proxy and the Hatkit Datafiddler. The proxy is a minimalist intercepting proxy which records data to a MongoDB database, while the Datafiddler is a tool to view, sort, filter, aggregate, replay and analyse data through a lot of different mechanisms, with the aim of providing a highly customizable framework which can be used to analyse modern complex web applications.
The tools became Owasp projects in 2011.

Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering. Stefano is recognized as one of the top application security researchers. In past years he released several cutting edge security advisories and researches presented at several international events (Flash application security testing, Subverting Ajax). He is the Research & Development Director of OWASP Italian Chapter and contributor to several chapters of the OWASP testing guide.

Presentation abstract

Cross Site Scripting is one of the most difficult issues to fix since it involves several contexts on different platforms. And it is well known. With the advent of complex web application with heavy client side programming, DOM based Cross Site Scripting is becoming more and more interesting in the application security field. The difference between vanilla Xss and the latter is how hard is to find issues among thousands of JavaScript lines of code, and how contexts and attacks move from classical HTML format and client side execution to programming logic and paradigms. This talk will try to fill the emptiness of awareness about DOM Xss by showing new attacks and a new analysis technique whose implementation is a tool named "DOMinator". DOMinator is a Firefox based application that can ease the pain of finding DOM based Cross Site Scripting issues by using runtime tainting analysis at JavaScript level.

15 years ago the concept of "Same-Origin Policy" (SOP) was introduced. SOP controls the interaction between web browser components. Current web applications differ radically in how they interact and they also use certain "hacks" to bypass the outdated policy. Jonas Magazinius introduces ongoing research at Chalmers University regarding programming language security and how a fine granular policy can replace SOP by allowing more interaction without compromising security.

Omegapoint are sponsors and there will be lighter food and beers. Omegapoint is located at Rosenlundsgatan 3, Göteborg. The event will start at 5 pm and end around 8 pm. To sign up for the event, please visit this site.

July 4th, 2011 - OWASP-Gothenburg opens!

Finally, OWASP Gothenburg has been formed, bringing application security closer to developers and security professionals on the west coast of Sweden. Ulf, Mattias and Jonas, the local chapter leaders, welcome members!

Deltagande

OWASP Foundation is a professional association of global members and is and open to anyone interested in learning more about application security. Local chapters are run independently and governed by the following Chapter Leader Handbook. As a 501(c)(3) non-profit professional association your support and sponsorship of a meeting venue and/or refreshments is tax-deductible. Financial contributions should be made online using the online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.